diff options
author | Juergen Gross <jgross@suse.com> | 2022-09-15 15:05:45 +0200 |
---|---|---|
committer | Juergen Gross <jgross@suse.com> | 2022-09-16 09:50:47 +0200 |
commit | ce6b8ccdef959ba86b2711e090e84a987a000bf7 (patch) | |
tree | 9af15f722443674ace27b3e8049b1e4ec7ddb771 | |
parent | xen/grants: prevent integer overflow in gnttab_dma_alloc_pages() (diff) | |
download | linux-ce6b8ccdef959ba86b2711e090e84a987a000bf7.tar.xz linux-ce6b8ccdef959ba86b2711e090e84a987a000bf7.zip |
xen/xenbus: fix xenbus_setup_ring()
Commit 4573240f0764 ("xen/xenbus: eliminate xenbus_grant_ring()")
introduced an error for initialization of multi-page rings.
Cc: stable@vger.kernel.org
Fixes: 4573240f0764 ("xen/xenbus: eliminate xenbus_grant_ring()")
Reported-by: Sander Eikelenboom <linux@eikelenboom.it>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
-rw-r--r-- | drivers/xen/xenbus/xenbus_client.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/drivers/xen/xenbus/xenbus_client.c b/drivers/xen/xenbus/xenbus_client.c index d5f3f763717e..d4b251925796 100644 --- a/drivers/xen/xenbus/xenbus_client.c +++ b/drivers/xen/xenbus/xenbus_client.c @@ -382,9 +382,10 @@ int xenbus_setup_ring(struct xenbus_device *dev, gfp_t gfp, void **vaddr, unsigned long ring_size = nr_pages * XEN_PAGE_SIZE; grant_ref_t gref_head; unsigned int i; + void *addr; int ret; - *vaddr = alloc_pages_exact(ring_size, gfp | __GFP_ZERO); + addr = *vaddr = alloc_pages_exact(ring_size, gfp | __GFP_ZERO); if (!*vaddr) { ret = -ENOMEM; goto err; @@ -401,13 +402,15 @@ int xenbus_setup_ring(struct xenbus_device *dev, gfp_t gfp, void **vaddr, unsigned long gfn; if (is_vmalloc_addr(*vaddr)) - gfn = pfn_to_gfn(vmalloc_to_pfn(vaddr[i])); + gfn = pfn_to_gfn(vmalloc_to_pfn(addr)); else - gfn = virt_to_gfn(vaddr[i]); + gfn = virt_to_gfn(addr); grefs[i] = gnttab_claim_grant_reference(&gref_head); gnttab_grant_foreign_access_ref(grefs[i], dev->otherend_id, gfn, 0); + + addr += XEN_PAGE_SIZE; } return 0; |